[OpenID] Fwd: [OpenID Foundation] New Poll Opened
Breno de Medeiros
breno at google.com
Sat Mar 21 02:13:44 UTC 2009
It is interesting how a discussion on a relatively simple extension proposal
which was motivated by:
1. Users saying in usability study after usability study that they are more
comfortable with the Facebook-Connect style login flow than the full browser
redirect model.
2. Potential RPs demanding popup UI flows in order to adopt the scheme as
they do not want their users to lose the context of their site.
3. IDPs listening to the same demand again and again and deciding to propose
an _optional_ feature that RPs can choose to interact with their users
Became a philosophical discussion on issues from user-centric philosophy to
anti-phishing to trust models on certificates.
Reality: The proposed WG suggests that RPs who want to can add a couple of
parameters to their URL requests to indicate to OPs (that advertise the
feature) that they embraced a fancy-dancy popup UI that makes their users
happier. They could already do this by hardcoding window sizes for the OPs
that they care about. IDPs could just document their favorite window sizes
as non-standard "enhancements" and force RPs (at least those who care for
their users) to embrace per-OP customization of window sizes as a fait
accompli.
Perception: Run for the hills: OpenID is being corrupted! It will become a
phishing haven! It has sold its soul!
Or, as every San Franciscan knows it: The city was best when I moved in, and
has gone downhill ever since. :)
On Fri, Mar 20, 2009 at 6:44 PM, Peter Williams <pwilliams at rapattoni.com> wrote:
> Openid clearly started with the OP being someone's blogsite - expecting
> there to be millions of OPs (i.e. you and me) and equal number of RPs.
> Clearly, vanity delegation was nothing more than adding a few meta tags to
> your blog's html home page, giving one the ability to use various of your
> blog site URLs facilitating portability. Even I managed to test all that
> (in its essentially original openid1.1 form), and I'm technically
> incompetent. And RP was an authenticated comment handler ...on someone's
> blog site. If the blog provider was hosted (by blogspot), fine. Or, a
> wordpress installation of a blog server on your enterprise gateway was just
> as legitimate to hosted blogs in livejournal, say. Host a server yourself or
> be a tenant of a blogservice - it made no difference to your status as an
> OP.
>
> Now, we never hear of that world any longer. The founders seem to change
> orientation, right about the time I started focusing on openid. And to be
> fair, it was and still is the mega-OP with openid2 capabilities that drives
> our commercial interest (seeing as they can now handle the ~6 million
> accounts of users who occasionally come to our site, now to authenticate
> using websso - or "identity verification"). At the same time, for realtors
> themselves (vs the public who search realtor listings), the peer-peer model
> is also important; and there are a million of these (each with their own
> web2.0 portal, offering a variety of "professional" services to their
> homeowner clients).
>
> Since Openid2, all I ever hear is about yahoo, paypal, google, facebook,
> myspace and live - who will each govern (n00 million) users. The users (and
> nominal owners of a blog site) are no longer the OP: s/he is merely a
> "subscriber" to an OP service - which will "speak for" the "site owner"
> under their brand rather than the individual's "brand". The rules and
> interaction with an RP will be the OP's decision (no longer the subscriber).
> If the subscriber wants to do this or that trust model with the RPs, it is
> now irrelevant. You want to use Yahoo, it WILL be ssl and their UI design
> rules (whether the original OP/site wants it, or not).
>
> Am I wrong that the founders (who obviously knowingly migrated to the world
> of openid2, and directed id in particular) changed focus? Did you move the
> notion of OPs from being those x00,000 owners of blog sites (who can set
> their own policy) to the (small number of) large portal firms that now host
> n00,000 "tenants" each - all acting under a single brand and security
> policy?
>
>
> > -----Original Message-----
> > From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> > Behalf Of Martin Atkins
> > Sent: Friday, March 20, 2009 4:27 PM
> > To: general at openid.net
> > Subject: Re: [OpenID] Fwd: [OpenID Foundation] New Poll Opened
> >
> > Peter Williams wrote:
> > >
> > > OpenID on the other hand started peer/peer, and is rapidly heading
> > > into the TTP space (where I suspect its founders wanted it all along).
> > >
> >
> > Your suspicions are incorrect.
> >
> > Its "founders" (which I choose to understand as those who started the
> > project, which started with Brad Fitzpatrick and fanned out to a number
> > of others including myself) imagined it originally as a solution to the
> > problem of allowing users of LiveJournal.com to leave comments on
> > DeadJournal.com and vice-versa; that it ended up being a user-centric,
> > decentralized system is largely a symptom of the culture of the
> > LiveJournal developers.
> >
> > The original OpenID was designed to operate without SSL at all, with
> > parties establishing associations on the fly with no verification, and
> > it remains that way today on LiveJournal.com. Some folks wanted the
> > benefits that SSL brings, and that's fine... no-one's forcing you to use
> > SSL right now. I fought SSL being a requirement for OpenID 2.0 and I
> > will continue to fight it as I believe it should be up to each party to
> > decide whether it needs the benefits SSL provides.
> >
> >
> > _______________________________________________
> > general mailing list
> > general at openid.net
> > http://openid.net/mailman/listinfo/general
--
--Breno
+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)